1. Field of the Invention
The present invention relates generally to computer protection against malware affection and more particularly to a computer program product and a method for protecting a computer against malware affection and with a computer protected against malware affection.
2. Description of the Related Art
Malware is a short term used in the art for malicious software summarizing computer programs performing actions on computer systems without the consent of a user, often developed for the purpose of doing harm to the computer system or the user, and comprises for example so-called viruses, worms, Trojan horses, backdoors and spyware. The intended actions of malware widely varies and include stealing users' personal information, stealing other data, abusing the computer system or simply vandalize.
Usually a target computer is first attacked by malware in a warhead phase exploiting weaknesses of the computer systems, as for example producing a buffer overrun, for enabling a propagation phase. The warhead phase is executed by a very small program code portion of the malware. In the propagation phase the body program code of the malware is transferred to the target computer. Typically several phases follow the propagation phase by executing the body program code as for example a target selection phase, in which the malware is seeking for other computers accessible from the target computer, a scanning phase, in which accessible other computers are checked to be suitable target computers for further propagation, and a payload phase, in which the intended purposes of the malware are performed.
To prevent malware affecting a computer system several protections are known in the art as for example virus filters running on computers or firewalls controlling the traffic between connected computer systems. These protections recognize malware using malware descriptions which define specific characteristics of certain malware. They usually analyze data, check if the data shows some of the specific characteristics and take action if the data is identified as being malware. For example, the data is deleted or quarantined. A common technique for analyzing the data is pattern matching, wherein the data is scanned for predefined specific bit patterns defined to be malware bit patterns in the malware descriptions. The analysis usually is quite processing-intensive and can reduce the performance of the computer system. The effectiveness of the above described protections is highly dependent on the up-to-dateness of the malware descriptions since malware is only recognized after the malware descriptions have been updated. Nevertheless, in the time period between the deployment of malware and the update of the malware descriptions in the computer system the computer system is vulnerable. It is therefore a delicate, difficult, labour-intensive and cost-intensive task to update the descriptions as fast as possible, which is usually done by specialized service providers.
Schmid et al “Protecting data from malicious software”, Proc. 18th Annual Computer Security Applications Conference, 2002, 9-13 Dec. 2002, Piscataway, N.J., USA, IEEE, describes an application called FileMonster®. The FileMonster® application uses a driver that works at the imaginary boundary between the user mode and protected kernel space; it intercepts at the point where user mode function calls are translated into kernel API calls, i.e. using service dispatch tables mapping. This is an undocumented approach.
The W32/Swen.A@mm worm that appeared in September 2003 is described in Frisk Software International: “W32/Swen.A@mm” (retrievable from the Internet at http://web.archive.org/web/20040411010214/http://www.f-prot.com/virusinfo/print/descriptions/swena.html). As a way to persist on the victim computer, the worm made auto-start entries in the Registry so that the system would load the worm's executable code on boot up. A random name was used for the worm's image file to avoid detection, i.e. <random_characters>.exe.
Winability Software Corp's “Folder Guard User's Guide—Using the filters” (retrievable from the Internet at: http://web.archive.org/web/20041023085327/www.winability.com/folderguard/users-guide_filters.htm; see also http://www.winability.com/folderguard/users-guide-printable.htm) describes a system that stops other users from opening or seeing a user's personal files; it can also protect sensitive system files from modification or destruction. Folder Guard allows and disallows program execution using a white list (explicitly allowing certain applications to run) and a black list (explicitly disallowing certain applications to run). This implies the program files already exist on the computer, and Folder Guard performs check to allow or disallow when the program is able to run.
The McAfee® Security “Product Guide—VirusScan Enterprise version 7.0” (7 Mar. 2003) document describes a virus scanning, detection and removal program that can use of file extensions to allow a user to configure the program scanning behaviours. Based on the user's selection, the program can scan the file on ‘read’ access, ‘write access’ or ‘on network’. The application uses conventional scanning and pattern matching techniques to detect viruses. Similarly, the “Sophos® Antivirus—Windows NT/2000/XP single user installation guide” describes an application that scans a file for virus detection on a read access, or on write and other accesses.
EP-A-1,429,247 (Microsoft Corporation) relates to a new approach as to how a file system filter driver should be implemented.
Other known techniques are disclosed in: (a) “Inside On-Access Virus Scanners”, M. Russinovich, Windows & .NET Magazine Network, September 1997 (1997-09); (b) WO 01/61473; and (c) WO 02/061557.
In view of the disadvantages of the hitherto-known, above described protections against malware affection, it is desirable to provide an improved, effective, fast and easy to maintain computer protection against malware.